Hacking/Reverse Engineering a PRIVATE api
Vložit
- čas přidán 8. 05. 2019
- Hacking/Reverse Engineering a PRIVATE api
Yo guys, today I wanted to get some data from a private api, so I went ahead and did some hacking/reverse engineering to get the data from this private api.
Hacking isn't always a bad thing, and if you want to call it reverse engineering to make yourself feel better, be my guest. So today we are hacking/reverse engineering a PRIVATE api.
We ended up getting the data from the private api and that is all that matters. I do not endorse hacking/reverse engineering of any Private api's, but do what you need to do.
ALL MY THOUGHTS ARE MY OWN
reverse engineering and hacking are just a part of the technology and software engineering industry.
This type of video was inspired by Devon Crawford. Definitely one of the better CS youtubers. Devon Crawford inspired me to make better videos with his "Hacking the CZcams Algorithm 2019" video. Devon Crawford, keep making great videos.
Alright let's get to the hacking/reverse engineering a PRIVATE api.
Here is the "hacking the youtube algorithm 2019" video by Devon Crawford: • Hacking the CZcams Al...
*IF YOU ENJOYED THIS VIDEO AND YOU'RE FEELING LIKE HULK, SMASH THAT LIKE BUTTON AND SUBSCRIBE TO NEVER MISS ANY CONTENT*
#HackingAnAPI
#ReverseEngineeringAnAPI
#DevonCrawford - Věda a technologie
What other projects do you guys want to see made?
Reverse a roblox exploit api and dm the api in discord C;#5561 its calls synapse the website x.synapse.to
make a proxy for your iphone that blocks ads from youtube and spotify bonus points if you get vrv and crunchyroll. ive tried and fiddled around with similar mitm sniffing but gave up too early cuz never read any documentation or bothered to learn the fundamentals of networking
bro you have twitter account?
How to predict api result of live running website which has timestamp
Its result is updating every 3 mins
Can i have the result before the actual result time..?
Will you do an app that requires login credentials to access the app and a passcode to perform an action? No 2FA.
API protection schemes aren't all that different from developer to developer since most APIs tend to follow a similar format when it comes to security:
1. The authorization token _(be it OAuth2, JWT, Spring, Keycloak, Passport, or Auth0)_ will likely contain information regarding what sort of access you have to the API itself. So for instance if you don't have permissions to access a certain endpoint then the resulting response can simply be an HTTP 401 _(Unauthorized)_ or even an HTTP 403 _(Forbidden)_ .
*Note:* the difference between an HTTP 401 and HTTP 403 is that the HTTP 401 error is for when you provide invalid or no credentials. The HTTP 403 error is for when you lack the privileges to access the specified resource _(API endpoint in this case)_ .
2. The API server might have a rate limiter set up to limit the number of concurrent requests sent to any API endpoint within a set amount of time. This is used to prevent a single connected user from spamming the API server which uses up too many system resources for the server in question. A server that's set up to be publicly accessible will most likely have documentation on the rate limiter _(the size of the request buckets, the rate at which the request buckets are emptied, what response headers are sent whenever you are rate limited, the different types of rate limits, etc...)_ .
Typically whenever we think about reverse-engineering APIs we are more-or-less thinking about something called *"fuzzing"* which can be defined as _an automated process that injects invalid, malformed, or unexpected inputs into a system to reveal defects and vulnerabilities_ . For instance if we know the URI formatting for the API server then we can simply try to find undocumented API endpoints based on common names for said endpoints.
The thing about API developers taking inspiration from one-another is that sometimes they'll use similarly named endpoints for certain actions such as token invalidation, database searching, creating and deleting data, etc...
If the developers didn't expect for you to find those undocumented API endpoints then maybe they also forgot to give them the same level of scrutiny when it comes to securing them versus their documented or public API endpoints.
My apologies for going so deep into this topic, I am somewhat passionate about web exploitation and semantics. Good video though because it appears that so many mobile app developers don't tend to consider that a MITM could be able to intercept and manipulate API calls to exploit vulnerabilities and a ton of developers could benefit from learning this and applying it to their development process.
The first time that I wanted a comment to be longer, thank you it‘s such a concise and useful read. Where are you learning from or do you teach?
this guy knows his stuff.
thank you for your comment
API is like a bridge linking one point to another using a specific language query that it understands which is in the server of the provider stored for the client on client server
liked & subscribed
It's such a rush when you gain access to things like this, great work. Think I'm going to have a lot of fun with mitmproxy. Subscribed.
+Cyris Cloete thanks brother!
Hey dude, good job with the video. You can also use the proxy to find out the endpoint used by your phone in order to get the access token, so you are going to be able to log in from your computer and get new access tokens ( Because they probably have a TTL). Another tip is to check if the app has also a website because if they have they are probably using the same private API, so u don't even need to proxy your phone.
Nice video. This really got me thinking about my api😂
Hey Chris, Thanks for making this video. I don't know much about api but I think this can help me with a project I'm working on. Good luck with your channel.
///.####&64%//3nkwwww
Thanks Chris..you blew me away with this video. Please I need to see another video on Hacking DNS and cloud servers
bro i want api of a web based parser called a-parser coz i develop one my own but it has cloudflare is that matter , that the website has cloudflare with this method?? thanksss
such a clean and top notch video ! earn my sub in the first 10 sec , thanks for sharing dude
One more note: what you demonstrated would work if someone steals your phone, installs mitmproxy on it, and starts using the application in question. This will definitely expose how to API works - all its endpoints, payload structure, tokens, and perhaps some integrations with other APIs. However, if the API is designed correctly, you would only be able to get the data this one client is allowed to see (aka, the user whose phone was stolen, assuming he/she only has one app account). Of course, much of the data the API provides could be shared, in which case one user could potentially get access to 90% or more of the data, e.g. an e-commerce catalog that was considered "private" with respect to the membership implied by this app.
hello what did you use to send the request at minute 5:33 did you use burpsuite?
WIth these looks, you should be an actor, man :). But seriously, thanks for the video. Thumbs up of course.
Superb 👍 . The way you explained the stuff was very easy to understand. Keep it up bro 👍 👍 👍
Thanks so much! This was a really, really, really big help!
You straight look like Jesse Williams lmao. Besides that, nice job very interesting video!
Luckily it was this easy for this app, some apps implement certificate pinning, so even after you install your own certificate it just ignores it and doesnt accept the mitm requests.
How to protect own api on server from apps like packet tracers on android.
My users catches data and make from postman.
Any help on this
How would you generate fake api Key when you already have a demo Key? is It posible to reverse Engineer a Key?
I have a doubt. I use a website and I know their http requests and response. Anyone can access their site. Can I use the requests in my app without telling them or just provide credits to their website?
pretty cool, engaging work. thumbs up!
bruh u killed this video i had to rewatch video too lit !!
hmm..not really hacking if using the public request string with a valid user token.... get restricted user data from other user without token would be hacking...
exactly
Only 1.1k subscribers? You need more bro
Think I need to watch this a few times to follow what you did. Very interesting.
Drone Kings in Darwin thanks for the comment brother!
Wonderful video, man
brother why did you stop posting videos? Does anyone have his social media? urgent !!! does anyone know how to find api?
This is amazing! Companies really need to start caring about their APIs
+Govind Prasanth thanks brother, and I know. Just open source the API and people will work on it and make it better for FREE! I don’t get it. It’s greedy
F12 ... Companies steal all the time.
Great video 🤘🔥🔥🔥
I totally agree, these api should have been open source to the public.
Can you use this method to post data to their server?
Awesome video!
As a result, do u recommend to developers to secure the api with Oauth2 ?
You'll get the same result with oauth the token itself is not important. the token expires, the gen method is what is important he talks about hashing but web tokens aren't hashed anymore as they carry no data. What he is likely referring to is the old JWT tokens which were hashed because they carried important info in them these new tokens use a random string gen so you can't decode them, you need the algorithm that was used to generate them. in fact you don't even need to do a MITM attack to get your token just open the developer inspect tool on your browser go to application tab and click on cookie, your auth token is in there
Cool coordinates.
Next video: Bypass ssl pinning.
is that possible? i've been playing around with man in the middle for last few months and ran into this issue with ssl pinning the other day
@@brimmed Yes, Frida + hooking to specific functions.
Ssl kill switch 2
@@brimmed use android, root it, install xposed framework, install SSLUnpinning module, now with SSlunpinning module you can select witch app u want to unpin.
note: on well made apps like instagram or facebook this method doesen't work, in this case you need to sear a modded apk
@@obywonimaccheroni-5750 can I do this with an emulator or need an actual device
Big companies that private their APIs are indeed annoying, but let's not generalize this
Remember that when you take stuff from an API you're not supposed to have access to, you're essentially using the money and resources of the company behind it, without giving them anything in return.
So let's avoid doing that to small companies & devs
Great video :)
but only debug app and web will be intercepted, when i open random apk what i've install from play store then mitm proxy doesn't work to intercept the request and the app return error ssl bla bla bla(ca-certificate had been installed), or infinite loading
you need to bypass ssl pining
that was awesome!!!
Well done.. I was wondering how my coder was doing it. WE are using the exact process to set up a multiple API. Well done breaking it down!
This guy is a Noob. You could simply use a short expiry time and that key becomes useless. If these guys wanted to protect their api he couldnt have seen that key unless he logged in.
@@khalifarmili1256 so users have to log in every minute with your short expiry time? who wants to use an app that constantly wants you to log back in all the time dude
Intercept the authentication call to be able to generate tokens. In oauth2 a token is usually valid around 2 min depending on what was set by admins
Auth calls don't carry any information, it's just a GET request with a couple headers and a cookie gen client-side, and oauth is a lot longer than that usually. I have used an oauth token for over 24 hours on most sites, shortest I have seen is 6 hours. token gens are done completely server-side and don't get sent over HTTP/S requests.
@@crysiscontained4421 What he is trying to say is that you can intercept oauth refresh token which is commonly used to generate new access tokens. And when you say "token gens" you're referring to the private key. Private keys may not get sent over http but refresh tokens and access tokens surely do.
Hey, I'm not able to capture https requests.
So what you actually did was get JSON response with the data you already have in your phone?
Yes that's what he did, what he doesn't know is that token expires and without the ability to reverse engineer how that access token is generated he will have to do the same thing again once it does. The token is probably generated using a random string algorithm which is damn near impossible to predict. These types of web tokens don't carry any information like the olden days of the JWT tokens did. Their api is safe for another day. Can't decode it cause there's no hash so nothing to decode. What he needs is the mathematical algorithm they used to generate the token to begin with, that's what they are keeping safe. It's even harder to do with a login version since that token would be tied to your credentials in /their/ db.
@@crysiscontained4421 JWT tokens still do and will always carry public information... and the whole purpose of the JWT is for the API to be stateless so the token doesnt need to be stored on any DB. Some implementations do save the tokens tho but its not recommended, there are other ways to go around that problem.
The reason they are private is to release stress on the api's..
Well looks like i won't be using rest API's lol... what about gRPC? is that easy to hack?
did you put eye liner and mascara to your eyes?
Great video thanks
he pulled a devon crawford
Thank's chriscodes
keep up the good work ^_^
+Malik Dernawi thanks brother!
So guys if you don't understand what he actually did is he intercepted his request from phone app into the his pc using mitmproxy and then he used access_token value to get the results without using the app and he got succeeded
Respect the hustle
That was great.. How much per hour for a personal tutoring?
Man in the Middle 101
I don't even know how i manage to understand all that.
this is why you use cors
nah bro chill not trying at my home,instead at my friend!
it isn't an issue, it's normal behavior of API's. The problem would exists if You could access resources, which weren't destined to You.
how can contact with YOU
terrible idea not scrubbing that geo location data
3:24 how you get the access token without the credentials. Are you using Postman for the POST req? 5:09 like I’m confused on how you got the access token, this is like magic. Like how Sway???
For that only he had created a proxy...which logs all the data flowing through it.
How can I connect with you bro
Can you make a tutorial about API for beginners 🙏🏾
Bit lame without figuring out the hashing
Holy crap I was looking for a way to find the person that hacked my gmail and i find this gem for my personal project
do you put eyeliner
Can you this for Snapchat app?
Uh didn't you dox yourself on this one? I'm seeing coords that lead to a house. Might wanna look into that.
Is it possible to hack firebase database ?
Can we delete or change all firebase data of a android application
now dan im not deletd folow mw
thxxx it's amazing, but why do keep telling us not to try it, is it illegal ? i need to make an app that uses some banks data but their apis are private, is it legal or not to get them like this because i don't wanna get in troubles honestly
pretty sure its illegal
NICE
Do it for Leetcode
maaaan thank you
Can you another video explaining more about this installation
There's a medium post
BRO THANK YOU
no like actually thank you
legend
you could do that with post man also. it have a tool for reverse engeneer an api
did you manage to get it to work?
yes I did. you have to download the chrome pluging. I actualy dont remember how it works. I did that a long time ago. But what i can say is that i had a hard time with that because they dont have the tutorials on their site updated but you can also find tutorials from other ppl in the web. Once you do it once, it will look easyer to repeat.
Scrapping pls. Now big companies are investing on anti-scrapping methods
Security (access codes) are often not important from an ISV's point of view. APIs are often "private" not because of any security concern but so that the ISV can change THEIR OWN APIs without needing backward compatibility and so on. They're not private for commercial reasons but technical ones. So, of course, if you write your app against private APIs then don't complain if they break in the next version. Public APIs require far greater support. By all means use private APIs, but why not also contact the ISV and ask them to make their API public? Or even (here's an idea) pay them to use their software, in the form of a support contract...
Let me get this straight: Security is a HUGE concern, but in your example, you ALREADY HAD THE ACCESS CODES, you ALREADY HAD THE KEY. So, that is entirely irrelevant that the API uses that key.... what you were arguing is to make private APIs public, and implying that they are private as some kind of security-through-obscurity, when that is not really the intent most of the time. As soon as you publish an API you have all sorts of forward and backward compatibility problems that are mitigated by having private, unsupported APIs. If you want the API to be supported, pay to support it.
Can anyone here help me identify my ex-girlfriend as my cyberstalker so I can put a stop the constant harassment??? She works in law enforcement and is abusing the resources available to her to harassment and anyone connected to me. This has been going on for 4 years now... PLEASE HELP ME BRING HER DOWN! I have no problem paying a fair price $$$ for SOLUTION BASED help!
@@mikechickenman Exactly, it is absurd to me people watch this and be impressed. This dude already has access to the API, he even has an api key to use. He just gained control over something he already had control over, how impressive lol.
Can't you just use chrome to intercept?
Umm, on a mobile app?
I'm just gonna pretend I understood
@Paul : I know this is a little late but I'd suggest looking at czcams.com/video/BxV14h0kFs0/video.html by Tom Scott
Did I miss something? Why are you using your phone. What aren't you using your PC to do this?
Because the app runs on his phone.
@@LiEnby Yes, but the website is an app also.
so basically, this is not hacking
This is reverse engineering .
this is not exactly private, a private api should have a signature then you would need to work on their algo, which requires reversing their app. lol
hi dear can you do reverse engineering api tiktok i will pay you
Can I hack ROBLOX accounts using thisv
it's impossible to do that on Android phones so companies are not worried so much but of course, there is a certain ways to hack them
Funny and naive
@@LiEnby Yep you're right. I was naive at that time and actually it's fairly easy to do on android
You look like John Cena
Api means fire in indonesia
Pretty
they will catch you you posted it hhh
This is basically Session hijacking right?!!!
if the api key expires in a given time (session) then yes but otherwise not really it's just bad programming by the company lol
Use burosuite
Wtf you look like the android from Detroit become human
Careful, 5:20 is you coordinates..
what a shame they are not using ssl pinning
Literally pointless 😭
u could have just used burp
I actually prefer this
Hack a bank app
Play around with xbox api :p
lame broski hit me up when u hack the nsa kappa kappa kappa
Bro can we hack online ludo games with reverse engineering
Can u modify games like pubg mobile